View Issue Details

ID: 14376
Project: Bug reports
Category: [All Projects] Security
View Status: public
Last Update: 2019-01-24 16:05
Reporter: manuelvsousa
Assigned To: DenisChenu
Priority: urgent
Severity: major
Status: resolved
Resolution: fixed
Product Version: 3.15.x
Target Version: (not set)
Fixed in Version: 3.15.x
Summary: 14376: XSS in version 3.15.5 - Survey Resource zip upload
Description

By performing this attack, a zip file uploaded as a Survey resource can execute JavaScript code in order to steal important parts of the admin cookie (CSRF tokens, etc.).

This works by uploading a file with a payload. In this case I used the name <svg onload=alert(document.cookie)>.php.
Then we also need a .xml file alongside the file in order to get the upload right. In this case, the XML must contain:

    <logo>
        <filename>files/<svg onload=alert(document.cookie)>.php</filename>
    </logo>

Check the attached exploit.zip for more details.

Steps To Reproduce
  1. Create a Survey.
  2. Click on that survey.
  3. In the main panel go to resources.
  4. Upload the exploit.zip file.
  5. Check the JavaScript alert as PoC.
Additional Information

Other upload features of this project might be vulnerable to this payload.
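The following is an added example in PHP, not LimeSurvey's own code, showing the two sides of this bug on a constructed manifest modelled on the one above: the filename as the parser returns it, the unescaped rendering through which the markup reaches the admin's browser, and the fix the changesets below describe (encoding the whole filename on output; Yii 1's CHtml::encode() is htmlspecialchars() with ENT_QUOTES, which the example uses directly). An input-side allowlist is included as an extra check. The manifest shape, the allowlist pattern and all function names are assumptions.

```php
<?php
// Added example, not LimeSurvey code. Shows how a filename taken from a survey
// resource manifest reaches the page, and the output encoding that neutralises it.
declare(strict_types=1);

// Constructed manifest modelled on the report: one hostile name, one normal one.
// The payload is entity-escaped so the XML stays well-formed; after parsing, the
// filename value is the literal string "files/<svg onload=alert(document.cookie)>.php".
const SAMPLE_MANIFEST = <<<'XML'
<?xml version="1.0" encoding="UTF-8"?>
<document>
  <logo>
    <filename>files/&lt;svg onload=alert(document.cookie)&gt;.php</filename>
  </logo>
  <logo>
    <filename>files/logo.png</filename>
  </logo>
</document>
XML;

/** Extract every <logo><filename> value from the manifest (assumed shape). */
function manifestFilenames(string $xml): array
{
    $prev = libxml_use_internal_errors(true);
    // LIBXML_NONET: never fetch remote resources while parsing an uploaded file.
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if ($doc === false) {
        return [];
    }
    $names = [];
    foreach ($doc->xpath('//logo/filename') ?: [] as $node) {
        $names[] = (string) $node;
    }
    return $names;
}

/** The vulnerable pattern: the filename is dropped into HTML as-is. */
function renderRowUnsafe(string $filename): string
{
    return '<li>Imported: ' . $filename . '</li>';
}

/**
 * The fixed pattern: encode the whole filename on output. Yii 1's CHtml::encode()
 * is htmlspecialchars() with ENT_QUOTES, so this is the same fix outside Yii.
 */
function renderRowSafe(string $filename): string
{
    return '<li>Imported: ' . htmlspecialchars($filename, ENT_QUOTES, 'UTF-8') . '</li>';
}

/**
 * Defence in depth (an assumption, not part of the project's fix): only accept
 * resource names that are a plain basename under files/ with an expected extension.
 */
function isAcceptableResourceName(string $filename): bool
{
    return (bool) preg_match('~^files/[A-Za-z0-9_][A-Za-z0-9_.-]*\.(png|jpe?g|gif|pdf)$~i', $filename);
}

foreach (manifestFilenames(SAMPLE_MANIFEST) as $name) {
    printf("name:     %s\n", $name);
    printf("accepted: %s\n", isAcceptableResourceName($name) ? 'yes' : 'no');
    printf("unsafe:   %s\n", renderRowUnsafe($name));
    printf("safe:     %s\n\n", renderRowSafe($name));
}
```

Run with `php example.php`: the hostile name is rejected by the allowlist and, in the safe row, comes out as `&lt;svg onload=alert(document.cookie)&gt;.php`, i.e. inert text; the normal name passes both. Output encoding is the fix that closes the bug regardless of which upload path the name arrives by, which matters given the note above that other upload features may accept the same payload.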

Tags: No tags attached.
Complete LimeSurvey version number (& build): 3.15.5
I will donate to the project if issue is resolved: No
Browser: Latest version of Google Chrome and Firefox
Database & DB-Version: Ver 9.1 Distrib 10.1.34-MariaDB
Server OS (if known): Ubuntu 18.04.1 LTS
Webserver software & version (if known): (not given)
PHP Version: 7.2

Activities

manuelvsousa (reporter), 2018-12-20 18:54
Attachment: exploit.zip (5,965 bytes)
DenisChenu (developer), 2018-12-21 12:38, note ~50059
Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=28689

DenisChenu (developer), 2018-12-21 12:43, note ~50060
Some other fix to do at another place …

About SVG: I think we have an issue here: we allow SVG, but SVG can contain bad JS, and we don't filter SVG …
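The SVG point in the note above is a separate problem from the filename bug: an SVG is an XML document, so a file that passes an extension or MIME check can still carry script elements, event handler attributes and javascript: URLs. The following added example in PHP, not LimeSurvey code, is one way to inspect an uploaded SVG for such active content before accepting it. The two constructed samples and the function name are assumptions, and it is a check that reports findings, not a sanitizer that rewrites the file.

```php
<?php
// Added example, not LimeSurvey code: flag active content in an uploaded SVG.
declare(strict_types=1);

// Constructed samples: one with an event handler, a script element and a
// javascript: link; one plain drawing with nothing executable.
const SVG_ACTIVE = <<<'SVG'
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     onload="alert(document.cookie)">
  <script>alert(1)</script>
  <a xlink:href="javascript:alert(2)"><circle r="5"/></a>
</svg>
SVG;

const SVG_PLAIN = <<<'SVG'
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <circle cx="5" cy="5" r="4" fill="#09f"/>
</svg>
SVG;

/**
 * Return a list of findings (empty when the SVG looks inert): <script> elements,
 * on* event attributes, and attributes whose value starts with "javascript:".
 * A document that does not parse is reported as a finding too, because a
 * browser may still render it leniently while this check saw nothing.
 */
function svgActiveContent(string $svg): array
{
    $findings = [];
    $prev = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    // LIBXML_NONET: no network fetches; entities are not substituted (no LIBXML_NOENT).
    $ok = $doc->loadXML($svg, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if (!$ok) {
        return ['document is not well-formed XML'];
    }
    foreach ($doc->getElementsByTagName('*') as $el) {
        $tag = strtolower($el->localName);
        if ($tag === 'script') {
            $findings[] = '<script> element';
        }
        foreach ($el->attributes as $attr) {
            $name = strtolower($attr->nodeName); // keeps a prefix such as xlink:
            if (strpos($name, 'on') === 0) {
                $findings[] = "event handler {$name} on <{$tag}>";
            }
            if (preg_match('/^\s*javascript:/i', $attr->value)) {
                $findings[] = "javascript: URL in {$name} on <{$tag}>";
            }
        }
    }
    return $findings;
}

foreach (['active' => SVG_ACTIVE, 'plain' => SVG_PLAIN] as $label => $svg) {
    $findings = svgActiveContent($svg);
    echo $label, ': ', $findings ? implode('; ', $findings) : 'no active content', "\n";
}
```

A finding should cause the upload to be rejected (or the file to be served with a Content-Disposition: attachment header and a restrictive Content-Security-Policy rather than rendered inline); the check deliberately reports every hit rather than stopping at the first so an audit log shows what was in the file.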

DenisChenu (developer), 2018-12-23 21:51, note ~50071
Waiting for release :)

ollehar (administrator), 2019-01-16 17:30, note ~50234
Fix committed to develop branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=28760

manuelvsousa (reporter), 2019-01-24 15:46, note ~50301
I guess this can go public now :). Thank you for fixing it and making the product more secure.

Related Changesets

LimeSurvey: master bfee69ed
2018-12-21 12:38:10, DenisChenu

[security] Fixed issue 14376: XSS in Survey Resource zip upload
[security] Fixed issue : XSS in theme zip upload
Dev: CHtml::encode filename (whole) when view
Dev: Same with import theme
Dev: some other fix to do : reporting issues

Modified files:
  application/views/admin/survey/importSurveyResources_view.php
  application/views/admin/themes/importuploaded_view.php
  application/views/admin/themes/templatesummary_view.php

LimeSurvey: develop 11e5076d
2018-12-21 12:38:10, DenisChenu (committer: ollehar)

[security] Fixed issue 14376: XSS in Survey Resource zip upload
[security] Fixed issue : XSS in theme zip upload
Dev: CHtml::encode filename (whole) when view
Dev: Same with import theme
Dev: some other fix to do : reporting issues

Modified files:
  application/views/admin/survey/importSurveyResources_view.php
  application/views/admin/themes/importuploaded_view.php
  application/views/admin/themes/templatesummary_view.php

Issue History

Date Modified Username Field Change
2018-12-20 18:54 manuelvsousa New Issue
2018-12-20 18:54 manuelvsousa File Added: exploit.zip
2018-12-21 11:37 DenisChenu Assigned To => DenisChenu
2018-12-21 11:37 DenisChenu Status new => assigned
2018-12-21 11:37 DenisChenu Priority none => urgent
2018-12-21 11:37 DenisChenu Description Updated
2018-12-21 11:37 DenisChenu Steps to Reproduce Updated
2018-12-21 12:38 DenisChenu Changeset attached => LimeSurvey master bfee69ed
2018-12-21 12:38 DenisChenu Note Added: 50059
2018-12-21 12:38 DenisChenu Resolution open => fixed
2018-12-21 12:43 DenisChenu Status assigned => resolved
2018-12-21 12:43 DenisChenu Fixed in Version => 3.15.x
2018-12-21 12:43 DenisChenu Note Added: 50060
2018-12-23 21:51 DenisChenu Note Added: 50071
2019-01-16 17:30 ollehar Changeset attached => LimeSurvey develop 11e5076d
2019-01-16 17:30 ollehar Note Added: 50234
2019-01-24 15:46 manuelvsousa Note Added: 50301
2019-01-24 16:05 DenisChenu View Status private => public